Windows Defender Application Control (WDAC) is a security feature that controls what is allowed to run on a Windows OS. This post describes creating a basic policy that allows Windows to boot and function. It is the first step in creating a WDAC policy for production.
Application Control is an essential security feature for the desktop. WDAC is the native Windows 10 implementation of Application Control and the successor to AppLocker, which arrived with Windows 7. But WDAC is quite hard to use, and a bad policy can stop the OS from booting entirely. So this step creates a basic policy that we can test and deploy first, to make sure everything works as expected. After that, we can add other rules and options to make a policy for production.
Microsoft supplies example policies at C:\Windows\schemas\CodeIntegrity\ExamplePolicies. The policy AllowMicrosoft.xml is enough to allow Windows to boot and function. We can use this as a base.
We can open the policy in an XML editor like Visual Studio Code to see what it does. The Rules section at the top sets the rule options. Three of them matter for this step:
- Enabled:Unsigned System Integrity Policy: does not require the policy to be signed with a certificate, so it can be replaced or removed without a signing key
- Enabled:Advanced Boot Options Menu: allows getting to the advanced boot menu (F8) in case the OS will not boot with the policy applied
- Enabled:UMCI: applies the policy to user mode code as well as kernel mode code (without this option only drivers are controlled)
The other options are explained elsewhere.
You can see that the policy allows code signed with a number of Microsoft certificates: the Signers section lists each certificate (by well-known root or by TBS hash), and the SigningScenarios section references those signers for kernel mode (scenario 131) and user mode (scenario 12) code.
This policy is in Enforced mode because the rule options do not include “Enabled:Audit Mode”. That’s OK, because it will still allow Windows to boot. But to change it to Audit mode, copy the policy with another name (e.g. AllowMicrosoft_Audit.xml), because Set-RuleOption edits the XML file in place and the copy under C:\Windows\schemas should stay as Microsoft shipped it, and then run (in PowerShell; the cmdlet comes from the built-in ConfigCI module):
Set-RuleOption -FilePath [path to policy] -Option 3
Option 3 is “Enabled:Audit Mode”. In Audit mode, Code Integrity logs what it would have blocked instead of blocking it, which is what we want for the first test. The same cmdlet with -Delete removes the option again when the policy is ready to enforce.
To turn this into a usable policy, we need to convert it to the binary format that Code Integrity actually loads. Run
ConvertFrom-CIPolicy -XmlFilePath [path to the XML policy file] -BinaryFilePath [path to save the binary file]. You can use a .bin or a .p7b extension for the binary file; the cmdlet writes the same bytes either way, and it is the file name the policy is given when it is deployed that matters. Ignore the warning message for the moment.
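The whole step, from inspecting the example policy's rule options and signers to producing the audit-mode binary, as one added PowerShell example. This is not code from the original post; it assumes a working folder of C:\WDAC and the file names AllowMicrosoft_Audit.xml and AllowMicrosoft_Audit.bin, all of which are placeholders you can change. Run it in an elevated PowerShell on Windows 10.

```powershell
# Added example (not from the original post). Assumptions: the working folder
# C:\WDAC and the two output file names are placeholders.
$Example  = 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml'
$WorkDir  = 'C:\WDAC'
$AuditXml = Join-Path $WorkDir 'AllowMicrosoft_Audit.xml'
$AuditBin = Join-Path $WorkDir 'AllowMicrosoft_Audit.bin'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Work on a copy: Set-RuleOption edits the XML file in place, and the original
# under C:\Windows\schemas should stay pristine.
Copy-Item -Path $Example -Destination $AuditXml -Force

# Helper: read the rule options out of a policy XML. PowerShell's [xml] adapter
# ignores the SiPolicy namespace, so plain dot-navigation works.
function Get-PolicyRuleOption {
    param([string]$Path)
    $xml = [xml](Get-Content -Path $Path -Raw)
    @($xml.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
}

Write-Host 'Rule options in the example policy:'
Get-PolicyRuleOption $AuditXml | ForEach-Object { "  $_" }

# Option 3 is "Enabled:Audit Mode". With it set, Code Integrity logs what it
# would have blocked (Event ID 3076 in Microsoft-Windows-CodeIntegrity/Operational)
# instead of blocking it. Remove it later with: Set-RuleOption -FilePath ... -Option 3 -Delete
Set-RuleOption -FilePath $AuditXml -Option 3

$options = Get-PolicyRuleOption $AuditXml
if ($options -notcontains 'Enabled:Audit Mode') {
    throw "Audit mode was not enabled in $AuditXml"
}

# Sanity check: the three options the post relies on should still be present.
foreach ($required in 'Enabled:UMCI',
                      'Enabled:Unsigned System Integrity Policy',
                      'Enabled:Advanced Boot Options Menu') {
    if ($options -notcontains $required) {
        Write-Warning "Expected rule option missing: $required"
    }
}

# Which signers does the policy trust? These are the Microsoft certificates the
# post refers to; the kernel-mode (131) and user-mode (12) signing scenarios
# reference them by ID.
$xml = [xml](Get-Content -Path $AuditXml -Raw)
$xml.SiPolicy.Signers.Signer |
    Select-Object ID, Name, @{ n = 'Root'; e = { $_.CertRoot.Value } } |
    Format-Table -AutoSize

# Convert to the binary form Code Integrity loads. The output extension does not
# change the content; .bin and .p7b produce identical bytes.
ConvertFrom-CIPolicy -XmlFilePath $AuditXml -BinaryFilePath $AuditBin
Get-Item $AuditBin | Select-Object FullName, Length
```

The throw after Set-RuleOption is deliberate: if the audit option did not land in the XML, the binary you deploy next would be an enforcing policy, which is exactly the mistake this step is meant to avoid.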
The reason I have chosen this as a basic policy is that it will allow Windows and other Microsoft applications like Office 365 to run. This way, we can have a minimal functioning desktop with a working WDAC policy. Bear in mind that trusting everything Microsoft signs also trusts Microsoft-signed tools that can be used to run arbitrary code; Microsoft publishes recommended block rules for those, and they belong in the production policy. We will add other rules and options later. Next step: Test a WDAC Policy